In a strongly worded decision, Europe’s highest court yesterday struck down the Safe Harbor accord enabling transatlantic data transfers between the United States and the European Union. The European Court of Justice (“ECJ”) ruled that United States’ Safe Harbour scheme fails in two fundamental ways: first, it fails to provide an adequate level of protection for EU citizens’ data; and, second, it offers EU citizens no judicial means of redress in the United States and denies EU data protection authorities the power to review complaints challenging the validity of the data transfers to third-party countries. The impact of this decision has the potential to be far reaching.
Of great significance is the ECJ’s ruling that, in determining whether another jurisdiction’s scheme affords adequate protection under EU data protection laws (thereby permitting data transfers), one must look not simply at the proposed scheme, but also at the domestic laws and international commitments of the jurisdiction in question to determine whether in totality the jurisdiction in question affords a level of protection of fundamental rights equivalent to that guaranteed within the EU. The ECJ concluded that legislation permitting public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
“National security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” the ECJ said. “The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”
The European Commission approved the Safe Harbour principles in July 2000 and, at that time, deemed those organizations that agreed to be bound by them to be appropriate and acceptable recipients of data transfers from EU member states. Over the last 15 years, massive amounts of data transferred between organizations in EU member states and the United States, and significant commercial arrangements worth billions of dollars have been premised on the approval and ongoing validity of the Safe Harbour.
The ECJ has struck down this cornerstone of international data sharing, with no guidance as to next steps.
It will be interesting to see if Canada and Canadian corporations – which are subject to public challenges of privacy compliance – become the beneficiary of this decision, as organizations in the United States and their EU counterparts look to Canada to house and process data for North American operations. Historically, Canada has had a strong international reputation for protecting personal information. However, the protection of personal information afforded by Canada’s privacy laws (federal and certain provincial models) have been questioned lately. Of particular interest will be whether some of the legislation (e.g., Bill C-51) introduced by the Canadian federal government affording Canadian law enforcement officials greater access to data pushes Canada into the realm of not providing adequate protection to personal information, thereby putting Canada in the same category as the United States and cutting off Canadian access to data transfers from Europe.